Code Red Awakens With a Whimper

Hyped worm appears to have little impact, but experts warn we aren't out of the woods yet.

James Niccolai, IDG News Service

The Code Red worm emerged from its slumber on Tuesday night to begin a second wave of attacks on the Internet. It could be days before the extent of any damage is known, but there were early signs that efforts to avert a much-talked-about meltdown of the Internet had been successful, security experts say.

"We haven't seen much overall impact," says Keith Peer, president and chief executive officer of computer security firm Central Command, based in Medina, Ohio. "There have been a few thousand infections [of servers] that we're aware of ... but nowhere near the catastrophic levels that had been predicted."

Matrix.Net, an Austin, Texas-based company that offers products for measuring Web performance, is also optimistic.

"It looks pretty quiet out there," says Joi Chevalier, a Matrix.Net marketing manager, about two hours after the worm relaunched itself.

In fact, popular Web sites in the United States, Europe, and Asia could be accessed late Tuesday night, suggesting the worst fears had yet to be realized.

Worm Goes to Work

Code Red exploits a security hole in versions 4.0 and 5.0 of Microsoft's Internet Information Server, which is included with Windows 2000 and Windows NT 4.0 and is widely used to run Web sites.

It made headlines last month when it infected more than 250,000 servers in nine hours on July 19, defacing many of them and launching a denial of service attack that slowed the Internet and disabled the White House Web site. The program has a built-in timer that caused it to relaunch itself when the clocks ticked past midnight Greenwich Mean Time on Wednesday (8 p.m. on Tuesday in New York).

The Federal Bureau of Investigation's National Infrastructure Protection Center, along with Microsoft and several other security groups, on Monday urged businesses worldwide to install a free patch from Microsoft that fixes the hole. Failure to do so could allow the worm to propagate and clog the Internet, slowing it to a crawl, they warned.

Following Instructions

Users don't have a glowing reputation for installing patches quickly, but Monday's unusual press conference may have spurred them to action and helped avert a crisis.

A Microsoft spokesperson says more than 1 million copies of the patch had been downloaded since the security hole was discovered in June. About 200,000 of those downloads occurred over a 24-hour period starting Sunday afternoon, says David Radoff, a spokesperson for Digital Island, which hosts the Web site for Microsoft where the patch is available.

That rate had increased as much as fivefold by Tuesday, he says, suggesting that as many as 1 million additional copies of the patch may have been downloaded by the end of the day. An estimated 6 million servers worldwide run Microsoft's Internet Information Server.

Microsoft says the number of downloads doesn't necessarily correspond to the number of servers that have been fixed, since some administrators may have downloaded the patch once and applied it to several servers. However, some home users may have downloaded the patch in error, thinking they needed it for their home PCs.

Home Users Safe

"We got calls from home users running Windows 98 who were trying to download the patch and said it's not working," says Marc Maiffret, chief hacking officer at eEye Digital Security, who is credited with identifying the worm. Code Red doesn't attack computers running Windows 95, 98, or ME, and home users are unlikely to be affected unless performance of the Web slows.

Maiffret notes that a variant of the worm identified last week does not deface Web sites, making it harder for companies to know when they have been affected. It also scans the Web more efficiently for unprotected servers, making it potentially far more virulent.

That's partly what prompted government officials on Monday to issue their dire warnings that the worm poses "a serious and continued threat to Internet users." They feared that when the worm reawoke it would spread rapidly, scanning the Internet for unprotected servers and in the process flooding the Web with unwanted packets of data, causing it to slow.

If that were to happen, it would likely have become apparent "a couple of hours" after the worm reawoke, Maiffret says. That didn't appear to be the case late Tuesday evening.

Denial of Service

Perhaps more damaging, the worm is also programmed to launch another denial of service attack on August 20. Such attacks flood a Web site with fake requests for data, causing it to grind to a halt or crash altogether.
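The flooding behaviour described above, whether from a worm scanning for servers or from a denial of service attack, shows up in a Web server's own logs as a burst of requests from a single source. The following is an added example, not code from the article or from any of the companies it quotes, of a simple sliding-window detector that flags such sources. It assumes log lines in the space-separated W3C extended format that IIS writes (date, time, client IP, method, URI stem, query, status), sorted by time; the addresses, paths and thresholds are constructed for the example.

```python
"""Sliding-window request-rate detector over constructed Web server log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    """Split one W3C extended log line (assumed field order:
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status)."""
    date, time, ip, method, stem, query, status = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, ip, method, stem, query, int(status)


def flag_floods(lines, window_seconds=60, threshold=20):
    """Return {client_ip: peak_requests} for every source that issued more
    than `threshold` requests inside any `window_seconds` sliding window.
    Lines must be in chronological order (as a server log normally is)."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    peak = defaultdict(int)       # per-source highest count seen
    limit = timedelta(seconds=window_seconds)
    for line in lines:
        ts, ip, *_ = parse_line(line)
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that have fallen out of the window.
        while ts - q[0] > limit:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


def constructed_sample():
    """Constructed log: one browsing client and one flooding client.
    The addresses come from documentation ranges; paths are made up."""
    base = datetime(2001, 8, 1, 0, 0, 0)
    lines = []
    # Normal client: one request every 30 seconds for five minutes.
    for i in range(10):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} 192.0.2.10 GET /index.htm - 200")
    # Flooding client: 50 requests within 25 seconds, all answered 404.
    for i in range(50):
        t = base + timedelta(seconds=i // 2)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} 198.51.100.7 GET /default.htm - 404")
    return sorted(lines)  # fixed-width timestamp prefix keeps this chronological


if __name__ == "__main__":
    for ip, n in flag_floods(constructed_sample()).items():
        print(f"{ip}: {n} requests in one 60 s window")
```

The normal client never has more than three requests inside any 60-second window, so only the flooding source is reported. In practice the threshold must be tuned to the site's real traffic, and a single server's log cannot show the Internet-wide fan-out of a scanning worm; that needs logs from many hosts or network-level telemetry.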

The target earlier this month was the White House Web site, but a version of the worm may have been adapted to launch attacks at other popular Web sites that may not be prepared to defend themselves, says Russ Cooper, surgeon general of TruSecure and editor of the security e-mail list NTBugtraq.

Cooper says it would probably be well into Wednesday before the extent of any damage can be assessed properly. "It'll take that long to do its work," he says. "Remember, it's starting from scratch again."

If the worm does manage to identify hundreds of thousands of unprotected servers, as it did on July 19, it could have a noticeable impact on the performance of the Internet, says Peter Salus, Matrix.Net's chief knowledge officer. The slowdown would be most apparent to people who use applications that are heavy on graphics and other data, such as online games or bulk file transfers, he says.

Just in Time

However, Salus says he thinks it unlikely the disruption will be widespread, in part because administrators appear to have patched their servers in time. "I feel that by and large this will not be noticeable to most people except for a few things that may be specifically targeted, like whitehouse.gov was targeted last time."

Network Associates says it completed a scan of more than 20,000 systems on the Internet earlier on Tuesday and discovered that 1230 of them remained unprotected against Code Red.

Ravi Venkatesam, vice president of operations at Atesto Technologies, a Web performance monitoring company in Fremont, California, agrees. "How much effect it will have depends on how many servers are still not patched," he says. "I feel most large corporations would have already taken care of this."

There were no indications on Tuesday that the FBI, or the overseas law enforcement groups that it is working with, had come any closer to finding the author of Code Red.

"My guess is, like so many of the disruptive things on the Internet over the last three or four years, this is almost a teenage prank kind of thing," says Salus of Matrix.Net. "There are a lot of bright kids out there; unfortunately, some of them are bored."
